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Abstract — We propose a novel distortion-theoretic approach 
to a secure three-party computation problem. Alice and Bob 
have deterministic sequences, and Charlie wishes to compute a 
normalized sum-type function of those sequences. We construct 
three-party protocols that allow Charlie to compute the function 
with arbitrarily high accuracy, while maintaining unconditional 
privacy for Alice and Bob and achieving vanishing commu- 
nication cost. This work leverages a striking dimensionality 
reduction that allows a high accuracy estimate to be produced 
from only a random subsampling of the sequences. The worst- 
case distortion of the estimate, across all arbitrary deterministic 
sequences of any length, is independent of the dimensionality 
(length) of the sequences and proportional to inverse square 
root of the number of samples that the estimate is based upon. 



I. Introduction 

We consider a secure three-party computation problem, 
where Alice and Bob have deterministic sequences x n 
and y n respectively, and Charlie wishes to compute a 
normalized sum-type function of the form f„(x n ,y n ) := 
(1/n) Y^i=\ fi{ x iiVi)- The objective is to construct a three- 
party protocol that securely computes the function with high 
accuracy and low communication cost. We assume that the 
parties are semi-honest (passive), which means that they 
will correctly follow the steps of the protocol, but will 
attempt to infer the maximum possible information about 
each other's sequences from the data available to them. 
We require unconditional privacy, which means (in a strong 
statistical sense) that Alice and Bob are unable to infer any 
information about each other's sequences and that Charlie 
is unable to infer any information about both sequences 
(x n ,y n ) other than what can be inferred from his function 
estimate F n (x n , y n ). Figure [TJroughly illustrates our problem 
setup. 

Unlike many other secure multi-party computation formu- 
lations (such as [1], [2], [3], [4]), which aim to make the 
probability of error, Pr \F n (x n , y n ) ^ f n (x n ,y n )], equal to 
zero or negligible, we consider a novel distortion-theoretic 
approach that aims to minimize the maximal expected abso- 
lute error 



X input sequences y 



max E 

x n y n 



\F n {x n ,y n )-f n (x n ,y n )\ 
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Fig. 1. Alice and Bob are given deterministic sequences x n and y n . The 
three parties then execute a protocol consisting of multiple rounds of local 
computations and pairwise communications. At the end of the protocol, 
Charlie produces an estimate of a function of the sequences, F n (x n ,y n ). 



where the expectation is with respect to any randomness in- 
herent to the protocol in generating the estimate F n (x n , y n ). 
The distortion is the worst-case expected absolute error 
across the deterministic sequences (x n ,y n ). The communi- 
cation cost is given by the number of bits of transmission 
required by a protocol divided by the length of the sequences 
n. Our main result is the construction of unconditionally 
private protocols that allow Charlie to estimate any nor- 
malized sum-type function f n (x n ,y n ) with both vanishing 
distortion and vanishing communication cost as n — >• oo. 
While the (perfectly) secure multi-party computation tech- 
niques of [1] can be used to compute any normalized sum- 
type function without error (zero distortion), they require 
0(n) transmissions (see Section UlI-EI ) and hence have non- 
vanishing communication cost. 

The key to our result is the realization that any normalized 
sum-type function can be evaluated accurately even after 
drastically reducing the dimensionality of its inputs (x n ,y n ). 
Although there are elegant dimensionality reduction results 
which show that distances can be approximately preserved 
by mapping high-dimensional signals into a low-dimensional 
subspace [5], [6], they are within a centralized computation 
context and without privacy constraints. We consider a much 
more basic dimensionality reduction that is achieved by 
a simple random subsampling. It was shown in [7] that 
an accurate estimate of the joint type of (x n ,y n ) can be 
produced from a randomized subsampling of the sequences 
(x n ,y n ). We produce a simpler alternative analysis of the 
work in [7], which allows us to analyze the expected dis- 
tortion, and apply this result to create accurate estimates 
of normalized sum-type functions in a manner that is both 



secure and communication efficient. The randomization in 
the subsampling is crucial for overcoming the worst-case dis- 
tortion criterion, and thereby achieving vanishing distortion. 
Subsampling by a factor much smaller than n allows us to 
use fewer invocations of the secure computation primitives 
of [1] while securely producing the function estimate with 
vanishing communication cost. 

It is important to highlight the distinction between a van- 
ishing error-probability criterion and a vanishing expected- 
distortion criterion. Distributed computation of the joint type 
with a vanishing error-probability needs a strictly positive 
communication bitrate which does not vanish with increas- 
ing blocklength [7], [8], [9], whereas the bitrate vanishes 
with blocklength for vanishing expected-distortion [7]. Our 
distortion-theoretic approach to secure multi-party compu- 
tation thus trades exact computation for arbitrarily high 
accuracy in order to gain the advantage of vanishing com- 
munication cost. This makes our work particularly relevant 
to applications where data size is overwhelming and only a 
highly accurate, but not exact, computation is necessary. 

A couple of examples of potential applications are secure 
computation of statistics in distributed databases and dis- 
tributed biometric authentication. In the first example, the 
sequences of Alice and Bob are viewed as a distributed 
database from which Charlie wishes to extract a joint statis- 
tic, represented by the normalized sum-type function, without 
requiring Alice or Bob to reveal any additional information 
about their data. Our approach allows Charlie to securely 
compute the statistic with arbitrarily high accuracy while 
attaining vanishing communication cost. 

In the biometric authentication problem, Charlie wishes 
to verify that Alice's biometric sequence x n is "close" to a 
reference biometric sequence y n held by the authentication 
authority Bob, without requiring Alice or Bob to directly 
reveal their sequences to any other party. By having Charlie 
compute a normalized sum-type function, where fx is an 
appropriately chosen metric, Charlie can accurately compute 
the "closeness" of Alice's biometric to the reference held 
by Bob in order to decide whether to accept or reject the 
identity assertion by Alice. Recent work [10] has taken a 
cryptographically secure approach in computing Hamming 
distance and sum of squared errors for fingerprint feature 
vectors. Our approach can compute a much broader set of 
metrics with arbitrarily high accuracy, unconditional privacy 
and vanishing communication cost. 

II. Problem Formulation and Main Result 

We study a secure function computation problem involving 
three parties named Alice, Bob, and Charlie. Alice and Bob 
each have a sequence of n symbols, denoted respectively by 
x n := {x u ...,x n ) € X n and y n := {yi,...,y„) e y n , 
where X and y are finite alphabets. Charlie wishes to com- 
pute a function, f n (x n ,y n ), of Alice and Bob's sequences. 
The objective is to design a three-party protocol that allows 
Charlie to securely compute f n (x n ,y n ) with high accuracy 
and low communication cost. In the remainder of this section, 
we describe the class of functions of interest and make 



precise the notions of accuracy, security, and communication 
cost. 

The class of functions that we consider are the normalized 
sum-type functions, f n : X n x y n — > Q, which are 
expandable in the form 



1 " 

f n (x n ,y n ) = - V/i(xi,y,), 



for some function fx : X x y — > Q. 

A protocol is a sequence of instructions that the parties 
correctly follow. The execution of a protocol consists of a 
sequence of local computations and message transfers be- 
tween the three parties via bi-directional, error-free channels 
that are available between each pair of parties. The messages 
sent at any stage of the execution of the protocol may 
depend on previously received messages, the sequences that 
are available to the parties sending the messages, and any 
independent local randomness that is generated. When the 
execution of the protocol terminates, an estimate F n (x n , y n ) 
is produced by Charlie. While the inputs (x n ,y n ) and the 
function /„ are deterministic, the estimate F n (x n ,y n ) may 
be random due to inherent randomness in the protocol. We 
define the view of a party as the set of all messages sent or 
received, and any local randomness generated by that party 
during the execution of the protocol. 

Accuracy: The distortion criterion to be minimized is the 
maximal expected absolute error, given by 



max E 

x n ,y n 



\F n (x n ,y n )-f n (x n ,y n )\ 



where the expectation is with respect to the local randomness 
that is generated in the execution of the protocol. We 
emphasize that x n and y n are deterministic sequences and 
the distortion is the worst-case expected absolute error. 

Security: We will consider protocols that achieve uncon- 
ditional privacy for semi-honest parties. The semi-honest 
assumption means that the parties will correctly follow the 
protocol. Unconditional privacy against Alice and Bob means 
that after the execution of the protocol, the views of Alice 
and Bob do not reveal any information, in a strong statis- 
tical sense, about the other party's sequence. Unconditional 
privacy against Charlie means that after the execution of the 
protocol, the view of Charlie does not reveal any information, 
in a strong statistical sense, about (x n ,y n ) other what can 
be inferred from F n (x n ,y n ). Let the random variables Va, 
Vb, and Vc respectively denote the views of Alice, Bob, and 
Charlie after the execution of the protocol. 

A protocol is private against Alice if the distribution of 
the view of Alice is only parameterized by x n , that is, for 
all (x n ,y n ,y n ) in X" x y n x y n , 

Pv A {v a ;x n ,y n ) = Pv A {v a ;x n ,y n )- 

Similarly, a protocol is private against Bob, if the distri- 
bution of the view of Bob is only parameterized by y n , that 

is, for all (x n ,x n ,y n ) in X n x X n x y n , 

P VB {v b -x n ,y n ) = P VB {v b] x n ,y n ). 



A protocol is private against Charlie if the conditional 
distribution of the view of Charlie given the estimate is not 
parameterized by x n or y n , that is, for all (x n , x n , y n , y n ) 
in X n x X n xfx y n , 

P Vcl pJv c \f;x n ,y n ) = P VclPn (v c \f;x n ,y n )- 

A protocol is unconditionally private if it is private against 
Alice, Bob, and Charlie as defined above. 

The security conditions are based on the strong notion 
of statistical indistinguishability. Note that for an uncondi- 
tionally private protocol, if Alice and Bob's deterministic 
sequences (x n ,y n ) were replaced with random variables 
(X n ,Y n ) drawn from any distribution, then the views of 
each player would satisfy the following Markov chains, 

V A -X n -Y n , 
from privacy against Alice, 

V B -Y n -X n , 
from privacy against Bob, and 

V c -F n -(X n ,Y n ), 

from privacy against Charlie. These Markov chains are 
analogous to the conditional mutual information conditions 
of [3] when appropriately adapted to our problem involving 
three semi-honest parties. 

Communication Cost: For a given protocol, let k denote 
the number of bits necessary to send all of the messages 
required by the protocol. The communication cost of a 
protocol is given by the rate R := (k/n). 

Our main result is that any normalized sum-type function 
can be computed with arbitrarily high accuracy, vanishing 
communication cost, and unconditional privacy. 

Theorem 2.1: There exist unconditionally private, ran- 
domized, three-party protocols such that, for all m <G 
{1, . . . , n}, any normalized sum-type function can be com- 
puted with maximum expected absolute error bounded by 

l/ilb 



e n < 

and total communication cost on the order of 

O(mlogn) 
R = . 

n 

By appropriately setting the parameter m we get the 
following corollary. 

Corollary 2.1: By choosing a sequence of parameters m„ 
such that as n goes to oo, 

m n log n 

m n —> oo, > (J, 

n 

any normalized sum-type function can be computed with 
unconditional privacy, and maximal expected absolute error 
e n — > and communication cost R — J- as n —> oo. 



III. Proof of Theorem I2.1I on Vanishing 
Distortion and Vanishing Rate 



We will prove the theorem by constructing protocols that 
attain the performance guarantees of Theorem 12. II Our pro- 
tocols produce a function estimate generated from only a ran- 
dom subsampling of the sequences (x n ,y n ). This technique 
utilizes the striking dimensionality reduction result of [7] 
that an accurate estimate of the joint type of (x n ,y n ) can be 
produced from only a random subsampling of the sequences 
(x n ,y n ). Additionally, we use the fact that a normalized 
sum-type function can be computed from the joint type. 
We will first discuss the dimensionality reduction result in 
Section IIII-AI in order to analyze the function estimate in 
Section IIII-BI We will then construct unconditionally private 
protocols in Section ITlI-CI that securely produce this function 
estimate with vanishing communication cost on account of 
the random subsampling. 



A. Estimating the Joint Type 

Outside of the context of secure function computation, 
we first discuss a dimensionality reduction result concern- 
ing the estimation of the joint type (empirical distribution) 
Px n .y"{x,y) from only a random subsampling of the se- 
quences (x n ,y n ). This subsampling technique and related 
results were first presented in [7]. Here we present an 
alternative and much simpler analysis, which allows us to 
compute bounds on the expected distortion and extend these 
results to the estimation of general normalized sum-type 
functions. 

For a given subsampling parameter m G {1, ...,n}, 
choose m locations from {1, . . . , n} uniformly without re- 
placement. Let this index set of randomly chosen locations 
be denoted by the random variable I, and (xi, j/i)ie/ denote 
the sequence subsampled from (x n ,y n ) according to the 
locations in I. 

We define the full and partial frequency functions (his- 
tograms) N, L : X x y — ► {0, . . . , n} according to 



N(x,y) := nP x „^(x,y), 

L{x,y) := \{i E I : (x l ,y l ) = (x,y)}\. 

Note that N(x,y) is a deterministic quantity, while L(x,y) 
is a hypergeometric random variable, since m samples are 
chosen without replacement from a set of n, where N(x, y) 
of them can contribute to the value of L(x,y). 

Let the estimate of the joint type be given by 



,(x,y) :-- 



L(x,y) 



in 



The mean and variance of this estimate are given by 

E[L(x,y)} 



E[P„{x,y) 



Vax[P x n <y n(x,y) 



m 
N(x,y) 

n 

P x n, y) , 
Vax[L(a:,y)] 
m 2 

N(x, y)(n — N(x, y))(n — m) 



mn 2 (n — 1) 



< 



N(x,y) 



Thus, the mean squared error summed across (x, y) is given 
by 



JMSB 



E 



\Px^, y ^(x,y) - P x n, y n{x,y)\ 



Lx,y 



£Var[P x » )V »(a:,y)] < - 



Continuing with Jensen's inequality yields a bound on the 
expected L2 norm of the error, 



E 



\p „ „ _ p „ „ 

I J x n ,y n A x n ,y n I 



Thus, for any pair of sequences (x n ,y n ) of any length 
n, an estimate of the joint type of the sequence-pair can be 
produced from only m random subsamples while achieving 
expected L2-error inversely proportional to i/m. 

B. Obtaining the Function Estimate from the Joint Type 

The random subsampling approach can be used to estimate 
any normalized sum-type function by expressing it as a 
function of the joint type as follows: 

n 

f n (x n ,y n ) = -Y,fi(Xi, yi ) 

i=l 

= -T / fi(x,y)N(x,y) 

x,y 

= ^2fi(x,y)P x n iV n(x,y). 



x,y 



Let an estimate of f n (x n ,y n ) based on only the subsampled 
sequence (xi,yi) ie i be given by 

F n (x n ,y n ) := -y2fi(xi, yi ) (1) 
m L — ' 

x,y 

= J2.fi(x,y)P x ^, v ^(x 7 y). 



The absolute error of the function estimate 

\F n (x n ,y n )-f n (x n ,y n )\ 

= j ^2fi{x,y)(Px",y"(x,y) - P x -n. t yn.(x,y)) 

x,y 

— II f 1 II 2 ' H^» n iJ/ n _ Px n ,y n || 2 j 

by the Cauchy-Schwarz inequality, where 



fi 



Thus, the expected absolute error is bounded by 

I/1II2 



E 



F n (x n ,y n )-f n (x n ,y n ) 



< 



C. Function Evaluation Protocols 

We provide three protocols, all of which make use of 
unconditionally secure multiparty computation methods to 
produce F n (x n , y n ) as given by (fTJ. The common first step 
is for Alice to randomly choose the m subsampling locations 
/ C {1, . . . , n}, uniformly without replacement, and commu- 
nicate them to Bob with m log n bits. From here, the specifics 
of the protocols differ, but they all require Alice and Bob 
to work with only the subsampled sequences (xi, yi)iei and 
result in Charlie computing fi(xi,yi) = mF n (x n ,y n ) 
via finite field arithmetic. Since the domain X x y is 
finite, the range of f\ is a finite subset of Q. Thus, with 
a sufficiently large finite field, T m , to prevent interger- 
arithmetic overflow, the computation of JZiei h(. x iiVi) can 
be performed with finite field arithmetic in F m . The finite 
field representation of J^iei fi( x i> Hi) can tnen ^ e converted 
back into a rational number and divided by m to produce 
K(x n ,y n ). 

All three protocols require 0(m log |.F TO |) bits in addition 
to the mlogn bits required to transmit /. Since the size of 
the finite field need only be on the ordei[| of \ J- m \ = 0(m), 
the total number of bits needed is actually dominated by the 
transmission of I and is on the order of k = 0(m log n). We 
will discuss and compare the specific communication cost 
of each protocol. All of the protocols are unconditionally 
private, however detailed proofs of privacy are omitted due 
to length restrictions. 

D. One-Time Pad Protocol 

Our first protocol leverages a type of homomorphism 
achievable with one-time pad encryption. Alice and Bob 
respectively send their subsampled sequences (xi)i^i and 
(yi)j e /, masked (encrypted) with one-time pads, to Char- 
lie. From these encrypted sequences, Charlie computes and 
returns to Alice and Bob encrypted additive shares of the 
partial frequency function L. After exchanging their one- 
time pads, Alice and Bob decrypt their respective messages 
from Charlie to obtain the additive shares of L, from which 

2 The computation can be expressed in a finite field of a size on the order 
of 0(m) since it is a sum of m rational values from the finite image set 
of/i. 



TABLE I 

Comparison of Three-Party Protocols for Securely Computing Normalized Sum-Type Functions 



Protocol 


Bits required in addition to m log n 


Advantages 


1) One-Time Pad 


2m(log \X\ + log \y\ + \X\\y\ log \T m \) + 3 log \T m \ 


Simplest techniques: one-time pads, additive shares 


2) Poly Secret-Share L 


(2m(\X\ + \y\) + 2) log \F m \ 


Most efficient for complex f \ 


3) Poly Secret-Share Direct 


(Varies), at best (4m + 2) log \T m \ 


Most efficient for simple fx 



they derive additive shares of the function estimate that are 
returned to be recombined by Charlie. This technique of first 
computing additive shares of L, as an intermediate step, takes 
advantage of the function estimate expansion given by (0. 
The transmissions required by and the complexity of imple- 
menting this protocol are independent of the complexity of 
/i (except indirectly through the necessary size of T m ). 
The detailed steps of this protocol are: 

1) Alice generates a one-time pad (a^)^/, by choosing 
cti ~ iid Unif({0, . . . , \X\ — 1}). The pad is applied 
to (xi)i£i, producing the encrypted sequence (a^gi, 
by setting = ® ai {xi), where ® ai (xi) is a circular 
shift of the value of x% over an arbitrary ordering of 
X by oti positions. 

2) Similarly, Bob generates a one-time pad (/3»)iei, with 
Pi — iid Unif({0, . . . , \y\ - 1}), and applies it to 
(Vi)iei to produce (jj l ) ie i by setting y l = 8 

3) Alice and Bob respectively send (xj)jgj and (y^iei 
to Charlie, using a total of m(log \X\ + log \y\) bits. 

4) For each i G I, Charlie produces A/;, an \X\ x \y\ 
matrix indexed by (x, y) <G X x y, where Mi(x, y) = 
l{x. y.y(x, y), which is the indicator function equal to 
one if (xi,yj) = (x,y) and zero otherwise. 

5) Charlie splits each Mi into additive shares, by first 
independently choosing, across all (i, x,y) € / x 
X x y, MA,i{x,y) ~ iid Unif(J>„), then computing 
M Bli = Mi - M A<i . 

6) Charlie sends the matrices (MA,i)iei to Alice and 
(M B ,i)iei to Bob, using 2m|Af||y| log |J" m | bits (in 
total). 

7) Alice and Bob exchange their one-time pads, (otiji^i 
and (/3i)i G j, using m(log \X\ + log |^|) bits. 

8) Alice and Bob separately decrypt {MA,i)iei an d 
(MB,i)iei to compute additive shares of L, via 

L A (x,y) = ^2M A ,i(® ai (x),®f) i (y)), 
iei 

L B (x,y) =J2M B!i (® ai (x),® Pi (y)). 
iei 

9) AUce and Bob separately compute additive shares of 
the function computation, via 

Fa = ^2fi(x,y)L A (x,y), 
Fb = '*Tfi(x,y)L B (x,y). 

x.y 



10) Alice independently generates random saf0 Z uni- 
formly over T m , which she sends to Bob using 
log|J" m | bits. 

11) Alice and Bob send F A + Z and F B - Z to Charlie 
using a total of 2 log | J" m | bits. Note that Fa + F B = 
mF n (x n ,y n ) because of the definition of Mi(x,y). 
Thus, Charlie can produce F n (x n ,y n ). 

Thus, in addition to the m log n bits needed to convey the 
sampling set / from Alice to Bob, this protocol requires 
an additional 2m(log|Af| + log |y| + \X\\y\log\T m \) + 
31og |J> n | bits, which is on the order of 0(mlog |J-" m |). 

E. Polynomial Secret-Sharing Protocols 

Our next two protocols employ the secure multi-party 
computation methods of [1], which exploit the homomorphic 
properties of polynomial -based secret sharing [11]. 

Our second protocol takes an approach quite similar to 
the first but replaces the homomorphism achieved with one- 
time pad encryption with the secure multi-party computation 
methods of [1]. The three parties first compute homomorphic 
shares of the partial frequency function L, from which ho- 
morphic shares of the function computation can be obtained. 

The detailed steps of this protocol are: 

1) For each (i,x) € I x X, Alice independently chooses 
cti X ~ iid Unif(J r ,„) and constructs the polynomial 

9ix(p) = a lx p+ l {xi} (x), 

where l^ x .y(x) is the indicator function equal to 1 if 
Xi = x and otherwise. For each (i, x) G I x X, Alice 
sends the sample gi X (2) to Bob and the sample <7j X (3) 
to Charlie using 2m\X\ log \J- m \ bits, while keeping 
the sample gi X (l) for herself. 

2) For each (i,y) £ I x y, Bob independently chooses 
ftiy ~ iid Unif(J r ,„) and constructs the polynomial 

where l^ y .^(y) is the indicator function equal to 1 if 
yi = y and otherwise. For each (i, y) G I x y, Bob 
sends the sample hi y {\) to Alice and the sample hi y (3) 
to Charlie using 2m|3^| log \F m \ bits, while keeping the 
sample hi y (2) for himself. 

3) Each party can compute a sample of the polynomial 
given by 

F (p) = ^2fi(x,y)^2g ix (p)h ly (p). 

x,y i£l 

3 The random salt is used to maintain security by statistically decorrelating 
Alice and Bob's function estimate shares from information already held by 
Charlie. 



Alice can compute F(l) from her samples of gi X (\) 
and hi y {l). Likewise, Bob can compute F(2) and 
Charlie can compute F(3). 
4) It follows that 

x.y i£l 

= mF n {x n ,y n ), 

and that F(p) is a degree-two polynomial of the 
variable p. The values of F(l) and F(2) are sent, 
using 21og|J r m | bits, to Charlie, who already has 
F(3). Via polynomial interpolation, Charlie produces 
F(0) = mF n (x n ,y n ) and hence F n (x n ,y n ). 
Thus, in addition to the m log n bits needed to convey the 
sampling set / from Alice to Bob, this protocol requires an 
additional (2m(|#| + |^|) + 2) log \F m \ bits, which is on the 
order of 0(m log |.F m |). 

Our final protocol takes a direct approach toward comput- 
ing Y^iei fi( x i> Hi)' by first using the secure computation 
methods of [1] to compute homomorphic shares of f\ (xi,yi), 
which can then be summed across i S I in order to produce 
shares of the function estimate. This approach directly re- 
flects the expansion of the function estimate given by (|T). 
The main steps of this protocol are as follows: 

1) For each i S /, Alice, Bob, and Charlie use the secure 
computation methods of [1] to respectively obtain 
shares f A {x l ,y l ), f B {xi,yi), and f c (xi,yi), which 
are samples of a random polynomial with a zero-order 
coefficient equal to fi(x i} yi). 

2) Alice, Bob, and Charlie respectively compute shares 
Fa, Fb, and Fc via 

F A = ^2 fA(Xi,yi), 

•te/ 

Fb = ^2.fB(x l ,y l ), 
iei 

iei 

which are now samples of a random polynomial with 
a zero-order coefficient equal to mF n (x n ,y n ). 

3) The values Fa and Fb are sent, using 2 log \F m \ bits, 
to Charlie who interpolates the polynomial in order to 
produce mF n (x n ,y n ), and hence F n (x n ,y n ). 

Note that the complexity of this protocol is captured in 
the first step of computing shares of fi(xi,yi). The actual 
details of this step depends on the structure of fi and how it 
can be represented by a multi-variate polynomial over a finite 
field, which, in principle, is always feasible by interpolation 
but could possibly result in a very complex polynomial. 
The first step will require at least 4mlog|J r m | bits of 
transmission for Alice and Bob to initially distribute shares 
of (xi,yi)i<=i. However, additional transmissions could be 
necessary in order to perform the degree reduction and 
randomization steps needed after each multiplication in the 
polynomial expressing f\ (see [1] for details). While the 
actual transmission cost would depend on the complexity of 



the polynomial realizing f\ , the cost would be proportional to 
Tji log \J- m \ times the multiplicative depth of the polynomial 
representation of f±. This last protocol requires at best, an 
additional (4m + 2) log \F m \ bits, however even at worst, the 
additional bits required is still on the order 0(m log |.F m |). 

F. Comparison of Protocols 

All of our protocols are unconditionally private and pro- 
duce the same estimate F n (x n , y n ) while requiring m log n+ 
0(m log | F m \) bits. Their subtle performance differences are 
in the constants of the 0(m log \F m \) term. For functions 
where /i can be represented as a polynomial with a mul- 
tiplicative depth of one, the third protocol is the simplest 
and most efficient, using only {Am + 2)log|J r „ l | bits in 
addition to the mlogn needed to trasnmit /. However, for 
functions where f\ is more complicated (e.g., containing 
absolute values or thresholding), and needs a polynomial 
representation of multiplicative depth greater than one, the 
complexity and the bits needed for the third protocol in- 
crease. For such functions it is better to use the first and 
second protocols which compute, as an intermediate step, 
homomorphic shares of the partial frequency function L. 
The complexity and bits required by the first two protocols 
are not affected by the complexity of fx (except indirectly 
through the necessary size of F m ), and hence are more 
efficient than the third protocol for very complex functions 
f\. The first protocol is less efficient than the second, but is 
of interest since it demonstrates how the simple techniques 
of one-time pad encryption and additive shares are sufficient 
to construct a secure computation protocol for this problem. 
Table U summarizes the advantages and communication costs 
of the three protocols. 

IV. Final Remarks 

We have introduced a distortion-theoretic approach for 
secure multi-party computation with unconditional privacy. 
By extending the dimensionality reduction result of [7], 
we have constructed protocols that securely compute any 
normalized sum-type function with arbitrarily high accuracy 
and vanishing communication cost. The technique of ran- 
domized subsampling allowed us to overcome the worst-case 
distortion criterion, yielding the result that for any sequences 
(x n ,y n ) of any arbitrary length n, the expected absolute error 
of the function estimate constructed from only m random 
subsamples is inversely proportional to ^frn. 

For clarity of exposition, we only considered the scenario 
in which Charlie wished to compute a function of Alice and 
Bob's sequences. However, the protocols are easily modified 
to allow each party to securely compute a unique normalized 
sum-type function. The security conditions are also easily 
modified to reflect this scenario. The results can also be 
extended to more than three parties, by constructing protocols 
using the methods of [1] along with randomized subsam- 
pling to provide dimensionality reduction. To extend these 
results to a two-party scenario, the randomized subsampling 
technique could be paired with secure function computation 
techniques that utilize an oblivious transfer primitive [12] or 



a binary erasure channel [4]. A notion of communication cost 
similar to [4] could be defined by counting the number of 
erasure channel uses or oblivious transfer primitive uses and 
dividing by n. In these extensions, it would also be possible 
to prove similar results on achieving vanishing distortion and 
vanishing communication cost, while maintaining uncondi- 
tional security. 
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